- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Blocking another machine from another machine.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Blocking another machine from another machine.
I need to block on server from communicating with another one within the same subnet. How would I do that from our FGT?
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Likely the best way to do this is from the machine's own firewall settings. Technically, the Fortigate can only control/restrict traffic if that traffic is going through it; if you have two machines on the internal network, communicating via switches or both are on the same switch, the Fortigate may not even see that traffic. If the Fortigate was set in transparency mode you may have better options.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Makes sense. Thank you for responding.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you change the server's IP address to some value outside of the (common) subnet, and specify the FGT to be the gateway for this, all traffic to and from the server has to cross the FGT. You would create an 'internal -> internal' policy and have control over the routed traffic.
Think of the consequences and if nothing else stands in the way, it's feasable.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all
this what is written here is not 100% sure which means following:
- What is the reason behind that on a standard configuration on a FGT clients/server within the same subnet can comunicate each othere without going over the FGT?
The answer is following which means following command:
# config system interface
# edit [Name of the interface]
# set icmp-redirect enable
# end
This means "icmp-redirect" is enabled by default WHY? If y client A connected to the FGT and request's client B in the same subnet as client A what happens exactly (in a very short overview):
--> Client A request Client B with ARP Request because no ARP available local ("who has")
--> ARP request is reaching the FGT (Default GW IP of FGT) and FGT is Broadcasting itsefl "who has".
--> Client B is answer to FGT "I am" (including MAC Address)
--> FGT send's "icmp-redirect" to Client A including the MAC Address and information of "icmp-redirect" which means actually:
Here is the information "MAC/IP" and please Client B is in same subnet as you do not come to me go direct!
This is the reason the traffic goes not over the firewall because "icmp-redirect" is enabled Client A/B can comunicate direct and you do not need any Firewall Policy on the FGT. If you like to prevent this disable "icmp-redirect" and the FGT does not send to Client A a "icmp-redirect" and the traffic will go over the FGT (because of Default Gateway points the client to FGT) and you HAVE TO implement a Firewall Policy which allows traffic from Client A to B and viserverse etc. Of course if "icmp-redirect" is disabled and if Client A makes a static ARP entry of Client B local the traffic would also go direct and not over the FGT.
This in short words/overview why or what is responsible that intercomunication between clients within a subent directly connected to the FGT is possible or not as needs or not a Firewall Policy on a FGT. Be careful if you disable "icmp-redirect" and be aware that ALL traffic within a subnet is going over the FGT (performance).
hope this helps
have fun
Andrea
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I disagree, simply because of a PCs routing table. All traffic destined for the local subnet uses the local IP as the gateway.
C:\Users\rpatterson>netstat -r ... IPv4 Route Table =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.151.250 192.168.151.121 266 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306 192.168.151.0 255.255.255.0 On-link 192.168.151.121 266 192.168.151.121 255.255.255.255 On-link 192.168.151.121 266 192.168.151.255 255.255.255.255 On-link 192.168.151.121 266 224.0.0.0 240.0.0.0 On-link 127.0.0.1 306 224.0.0.0 240.0.0.0 On-link 192.168.151.121 266 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306 255.255.255.255 255.255.255.255 On-link 192.168.151.121 266 =========================================================================== Persistent Routes: Network Address Netmask Gateway Address Metric 0.0.0.0 0.0.0.0 10.131.24.4 Default 0.0.0.0 0.0.0.0 192.168.151.250 Default =========================================================================== ...
Basically, the Fortigate is removed from the routing equation by the local device.
My two cents...
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let's not complicated things; OP wanted to block one machine from another machine, on the same subnet: the simplest and easiest solution is to use the machine's own firewall for the blocking. IMHO. :)
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dave Hall wrote:AgreedLet's not complicated things; OP wanted to block one machine from another machine, on the same subnet: the simplest and easiest solution is to use the machine's own firewall for the blocking. IMHO. :)
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Related Posts
- Block inside attacks 62 Views
- Automatically Ban Malicious Inbound IPs using... 58 Views
- Which Firewall of Fortigate help me... 108 Views
- FortiOS 7.2.8 WAF Event ID not... 158 Views
- Fortiproxy BSOD Netio.sys 101 Views
Labels
-
FortiGate
6,453 -
FortiClient
1,289 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
67 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.